tiffcrop: heap-buffer-overflow in file tiffcrop.c, line 7847
Summary

I found a heap-buffer-overflow in file tiffcrop.c, line 7847.

```
ASAN:
==2645091==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x617000000315 at pc 0x00000049523a bp 0x7fff94259ea0 sp 0x7fff94259668
READ of size 9 at 0x617000000315 thread T0
    #0 0x495239 in __asan_memcpy (/usr/local/bin/tiffcrop+0x495239)
    #1 0x5f029e in _TIFFmemcpy /root/gitlab/commit/libtiff_test/libtiff/tif_unix.c:345:5
    #2 0x507a79 in extractImageSection /root/gitlab/commit/libtiff_test/tools/tiffcrop.c:7847:17
    #3 0x4e8f7c in writeImageSections /root/gitlab/commit/libtiff_test/tools/tiffcrop.c:8124:13
    #4 0x4cee30 in main /root/gitlab/commit/libtiff_test/tools/tiffcrop.c:2868:21
    #5 0x7fcb7106a082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #6 0x41d6ad in _start (/usr/local/bin/tiffcrop+0x41d6ad)

0x617000000315 is located 0 bytes to the right of 661-byte region [0x617000000080,0x617000000315)
allocated by thread T0 here:
    #0 0x495ded in malloc (/usr/local/bin/tiffcrop+0x495ded)
    #1 0x5f0086 in _TIFFmalloc /root/gitlab/commit/libtiff_test/libtiff/tif_unix.c:326:13
    #2 0x4ed440 in limitMalloc /root/gitlab/commit/libtiff_test/tools/tiffcrop.c:709:12
    #3 0x4d4b50 in loadImage /root/gitlab/commit/libtiff_test/tools/tiffcrop.c:7113:26
    #4 0x4ce28d in main /root/gitlab/commit/libtiff_test/tools/tiffcrop.c:2782:17
    #5 0x7fcb7106a082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/local/bin/tiffcrop+0x495239) in __asan_memcpy
Shadow bytes around the buggy address:
  0x0c2e7fff8010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2e7fff8020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2e7fff8030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2e7fff8040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2e7fff8050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c2e7fff8060: 00 00[05]fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2e7fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2e7fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2e7fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2e7fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2e7fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==2645091==ABORTING
```

Version: LIBTIFF, Version 4.5

Steps to reproduce

```
# build with AFL instrumentation and ASAN/LSAN; "&&" so the install only runs after a successful build
CC=afl-clang-fast CXX=afl-clang-fast++ CFLAGS="-g -O0 -fsanitize=address,leak -fno-omit-frame-pointer" CXXFLAGS="-g -O0 -fsanitize=address,leak -fno-omit-frame-pointer" ./configure --disable-shared
make && make install
/usr/local/bin/tiffcrop -R 270 -S 8:4 -O landscape -E b -e divided -F hor -w 10 -U cm -m 1,2,3,4 -i poc /tmp/foo
```

Platform: Ubuntu 20, x86

POC: [poc1](/uploads/559ed61f00c26e7ddd1b33ac1e719a89/poc1)